Abstract

Computer forensics is performed during a security incident response process on disk devices or on memory of the compromised system. The latter case, known as memory forensics, consists in dumping the memory to a file and analyze it with proper tools. Many of those security incidents are caused by malware that targets and persists as long as possible in a Windows system within the organization. The persistence is achieved using Auto-Start Extensibility Points (ASEPs), the subset of OS and application extensibility points that allow a program to auto-start without any explicit user invocation. In this paper, we propose a taxonomy of the Windows ASEPs, considering the features that are used or abused by malware to achieve persistence. This taxonomy splits into four categories: system persistence features, program loader abuse, application abuse, and system behavior abuse. For each extensibility point we also detail its characteristics (namely, write permissions, execution privileges, detectability in memory forensics, freshness of system, and execution and configuration scopes). Many of these ASEPs rely on the Windows Registry. We also introduce in this paper the tool Winesap, a Volatility plugin that analyze the registry-based Windows ASEPs in a memory dump. We also state the order of execution of some of those registry-based extensibility points and evaluate the effectiveness of our tool in memory dumps taken from a Windows OS where extensibility points were used. Winesap was successful in marking all those registry-based Windows ASEPs as suspicious registry key values.